Presto can be configured to enable authorization support for HTTP endpoints to allow system administrators to control access to different HTTP endpoints in Presto.
Role Based Access Control#
Every HTTP endpoint in Presto is secured by a set of roles and can only be accessed by identities that belong to one of those roles. There are three roles defined in Presto:
user: Users who should have access to external endpoints like those needed to launch queries, check status, get output data and provides data for UI.
internal: Internal components of Presto (like coordinator and worker) which will have access to endpoints like launching tasks on workers and fetching exchange data from another worker.
admin: System administrators who will have access to internal service endpoints like those to get node status.
The following steps need to be taken in order to enable authorization:
Presto authorization requires authentication to get the accessor’s principal, so make sure you have authentication enabled.
If TLS/SSL is configured properly, we can just use the certificate to identify the accessor.http-server.authentication.type=CERTIFICATE
It is also possible to specify other authentication types such as
JWT. Additional configuration may be needed.node.internal-address=<authentication type>
To enable authorization, the interface
com.facebook.airlift.http.server.Authorizer must be implemented and bound.
It performs the actual authorization check based on the principal of incoming
request and the allowed roles of endpoint being requested.
You can either use the preset
ConfigurationBasedAuthorizer or implement
This plugin allows you to turn on authorization support by specifying a mapping from roles to a regex for matching identities. Use the following steps to start using Configuration-based authorizer:
Create a role to identity regex mapping and store it in a file.
user=.* internal=coordinator admin=su.*
Specify the path to the mapping file in
configuration-based-authorizer.role-regex-map.file-path=<path to mapping file>
Install the Guice module
Configure Authorization Settings#
Authorization settings is configured in the
config.properties file. The
authorization on the worker and coordinator nodes are configured using the same
set of properties.
The following is an example of the properties that need to be added to the
http-server.authorization.enabled=true http-server.authorization.default-policy=ALLOW http-server.authorization.default-allowed-roles=USER,ADMIN http-server.authorization.allow-unsecured-requests=false
Enable authorization for the Presto.
Should be set to
The default authorization policy applies to endpoints
without allowed roles specified. Can be set to
The roles allowed to access the endpoints without
explicitly specified when default-policy is set to
Skip authorization check for unsecured requests.
Default value is
http-server.authorization.allow-unsecured-requests is provided as a way to
transition from HTTP to HTTPS with authorization and is a security hole
since it allows unauthenticated requests to skip authorization checks. Only
enable during the transition period and disable this setting once you have
completed migrated to using HTTPS.